Commit 20798927 authored by Nigel McNie

Make the render_self() implementation for internal artefacts escape the title,...

Make the render_self() implementation for internal artefacts escape the title, as they shouldn't have HTML in them.

I don't think this is actually called anywhere so it's not a security vuln or anything - the implementation is just there to complete the api.
parent 5077b3d3
......@@ -350,7 +350,7 @@ class ArtefactTypeProfileField extends ArtefactTypeProfile {
}
public function render_self($options) {
return array('html' => $this->title, 'javascript' => null);
return array('html' => hsc($this->title), 'javascript' => null);
}
}
......
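Review bot: render_self() has no doc comment stating that the 'html' value it returns is already HTML-escaped, and with the switch to hsc($this->title) a caller that escapes the result again would double-encode the title. A short docblock on the method stating that the title is treated as plain text and returned escaped would make the contract explicit. The commit message says the method may not be called anywhere, so it is also worth confirming that the other render_self() implementations follow the same rule, since this hunk only shows the one in this class.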